Prekindergarten through Grade 12 Education

Request for Information (RFI)

Enterprise Identity and Access Management (EIAM) System

Update 8/8/14: NYSED appreciates the interest in this RFI by the vendor community. At this time, no decision has been made about whether or not an RFP will be issued for an Enterprise Identity and Access Management System. NYSED has decided not to proceed with asking vendors to provide presentations to NYSED regarding their EIAM solutions at this time.

The New York State Education Department (NYSED) hereby issues this “Request for Information” (RFI) to determine system capabilities with respect to NYSED’s EIAM System needs.

1.1 ORGANIZATION BACKGROUND

The New York State Education Department (NYSED) is responsible for oversight of all educational institutions in the state, for operating certain educational and cultural institutions, for certifying teachers, and for registering and licensing practitioners of more than 40 professions. NYSED’s supervisory activities include chartering all educational institutions in the state, including schools, libraries, museums, and historical societies; accrediting college and university programs; allocating state and federal financial aid to schools; and providing and coordinating vocational rehabilitation services.

A Board of Regents, consisting of 17 members elected by the state legislature, governs NYSED. The Board oversees the University of the State of New York (USNY), consisting of all public and private schools, colleges and universities, chartered libraries, museums, historical societies, and other educational institutions in the state. NYSED’s chief executive officer is the Commissioner of Education and President of the University, who is appointed by the Board of Regents.

NYSED is composed of these major organizational areas:

Office of P-12 Education

Office of Higher Education

Office of Cultural Education

Office of Counsel

Office of State Review

Office of Professions

Adult Career and Continuing Education Services

Office of Operations and Management Services

The Office of P-12 Education has primary responsibility within NYSED for measuring student performance and implementing accountability measures in schools. This office plays a central role in the collection, management, and reporting of educational data. The P-12 website contains additional information on the programs, services, and organization of that office, including information about current educational data collection and reporting (http://www.p12.nysed.gov/offices.html).

Public school districts and charter schools are known as Local Educational Agencies (LEAs) in New York State. These LEAs are responsible for administering and operating the individual public schools within a district.
A complete description of the University of the State of New York and the State Education Department can be found at http://usny.nysed.gov/about/.

1.2 PROJECT CONTEXT

NYSED aims to implement a robust EIAM system, which would provide secure authentication (verifying identity) and authorization (approving and providing access to services) for several groups of stakeholders including:

NYSED employees and agents

Constituents of the P-12 public education system in NYS including:

Educators, school leaders, district administrators, etc.

Parents/Guardians and students

Vendors conducting business with NYSED

Other constituents (e.g. professionals doing business with NYSED’s Office of the Professions)

Existing systems that either provide identity and access management capabilities or are protected by such capabilities comprise identity directories, authorization systems and end-user applications, including:

Active Directory (AD). This is the directory behind the new EngageNY Portal.

TEACH - Source system for all NYS and NYC teachers who are certified (and typically fingerprinted) for work within New York State schools.

TAA (Teacher Authentication and Authorization) - The TAA PIN process is used to associate a teacher with multiple locations and/or multiple LEAs, and with the teacher's OID account via the unique identifier, the TEACHID.

Initially, the implementation of an EIAM system at NYSED will focus on migrating technologies that support the EngageNY Portal program. The Portal offers a secure single sign-on (SSO) environment for role-based access to data dashboard and content management applications to educators, students, and their guardians.

This RFI seeks information regarding possible solutions that would replace the existing IAM supporting the Portal and will later provide a foundation for identity management, federation, authentication and authorization, and application on-boarding services needed to support business needs across the agency and with additional stakeholders and constituents.

The IAM solution is intended to support NYSED as well as locally (e.g. LEA, BOCES, RIC etc.) sourced or built applications and should be capable of integrating with emerging student record APIs and leveraging a statewide ID system (NY.gov ID – see https://my.ny.gov/).

NYSED is interested in the possibility of being able to support federation, e.g. with NYC and/or multiple districts / BOCES-Regional Information Centers (RICs) who might in the future wish to integrate their own directories or IDPs.

To support the Portal, the EIAM system must service approximately 2.9 million students, 5.8 million guardians (of NYS public school students), and 200,000 educators in various educational organizations spanning New York State. The EIAM solution must be fully developed (or configured), tested, and deployed to users by September 1, 2015.

1.4 EDUCATION ENVIRONMENT COMPLEXITIES

Criteria used to make access decisions in the EngageNY Portal are complex. User Roles, Educational Organization membership and Context define the scope and type of data that a user can access:

Figure 1 - Basis of Effective Permissions

NYSED defines User Roles and associated permissions for student record access management. The IAM solution is expected to manage these roles within the context of the EdOrg hierarchy (see Appendix A for more information on EdOrg hierarchies).

1.5 RFI CONTACT INFORMATION

Interested Entities are encouraged to submit a written “Letter of Interest,” including a cover letter on company letterhead, characterizing their interest and background. Information pertaining to ideas, concepts, design issues, and practical knowledge gained from relevant experiences implementing EIAM solutions is being sought. Additionally, responses to the questions and inquiries listed in Section 2 are requested. NYSED may, at its discretion, invite interested entities to visit its offices at 89 Washington Avenue, Room, Albany, New York, for further discussions.

Note: This IS NOT a Request for Proposals. It is an invitation to provide the NYSED with information regarding current technologies and viable approaches to implementing an Enterprise Identity and Access Management System. Additionally, responses will be used to gauge the level of interest in the EIAM Project. Information obtained may be used to develop a needs requirement upon which a future procurement might be based. If further discussion is required, or should questions arise, please contact the NYSED contact person listed below.

Participation in this RFI is voluntary, and NYSED will not pay for the preparation of any information submitted by a respondent or for NYSED’s use of that information.

Vendors are advised that if any part of their response to this RFI contains trade secrets or is submitted to NYSED by a commercial enterprise or derived from information obtained from a commercial enterprise and which, if disclosed, would cause substantial injury to the competitive position of the subject enterprise, then vendors should identify such in their response.

NYSED may issue announcements amending this RFI in response to vendor questions. In addition, after reviewing RFI responses, NYSED may request clarifying information from vendors who offer information of specific interest to NYSED.

1.6 ADMINISTRATIVE GUIDANCE FOR RESPONDENTS

RFI schedule:

March 26, 2014 - RFI published

April 7, 2014 - Deadline for questions

April 21, 2014 - Response to questions issued

May 5, 2014 - Deadline for receipt of responses (The deadline has been revised from April 28 to May 5)

RESPONSE REQUIREMENTS

2.1 RESPONSE OUTLINE AND ORGANIZATION

Responses should be organized as follows:

2.1.1 Cover Letter

The respondent should provide a cover letter (limited to no more than two pages in length) that includes the following corporate information:

Company Name

Contact Name

Title

Phone #

E-mail address

Mailing address

Fax #

Note: Provide additional contact persons as needed.

Respondents should also provide the following information:

Whether the company is publicly or privately held (if public, provide company symbol)

Number of full-time employees

2.1.2 Company Information

The vendor shall summarize its experience in the Enterprise Identity and Access Management systems field. An indication of the extent and scope of the experience should be provided, including:

Length of time your company has been providing Enterprise Identity and Access Management systems

Prior Enterprise Identity and Access Management systems design or implementation work you have performed with other educational entities, including the dates of this work

Contacts in educational entities that you have worked with

The role of your company in these engagements (e.g., primary or sub-contractor)

The project phases in which your company participated

The environments in which the systems were implemented

Any partnerships or alliances your company has that would provide benefits to the project

Based on the experience outlined above, vendors should identify the following:

2.1.3 General Product Information

Company literature and brochures describing Enterprise Identity and Access Management products may be included as part of the response. While additional information links are not disallowed, NYSED prefers not to receive links wherein pertinent information is available but requires extensive searching.

Product information should include:

Overview of how the product works (including a system overview diagram). Transparency is desirable. The system needs to be explainable rather than a “black box.”

What are the hardware and software requirements for using the product?

What is the current version of the product? Are any major releases currently planned?

Is the product proprietary or open source?

Is the product typically hosted by the vendor (or a third party) or installed in-house?

2.1.4 Product Specifics

Is the solution internal or cloud based? If internal, what additional software and hardware would SED require if your proposed EIAM solution was adopted?

How does your proposed solution provide the following services?

Provisioning and de-provisioning of user accounts

Provisioning and de-provisioning of credentials

Provisioning and de-provisioning of access rights

What is the EIAM architecture of your proposed solution? Provide a complete description of each major component, its purpose and role in the overall solution.

How does your proposed EIAM solution ensure that any identity-management model can be expandable to include new forms of identity verification and assertions?

How would your product migrate the current EngageNY Portal catalog/authorization data into your solution?

How would you migrate IAM business rules into your product? How does your proposed solution implement the administration of accounts and access rights? Does the solution allow for centralized and delegated approaches?

Which web SSO systems does your proposed EIAM solution support and interoperate with?

Describe how your proposed solution enables decisions about access to information resources to be made and administered by the owner of the resource. This includes determinations of levels of access to be granted to specific users, to specific roles to which users may be assigned, or both.

What audit, logging and reporting capabilities does the EIAM solution support?

What interfaces does your product include for managing these data (e.g., UI, APIs, messaging services, standards, and protocols, etc.)?

How does your product enable management of relationships between people and organizations (e.g., staff to LEA, teacher to course section, student to course section)? What interfaces does your product include for managing these relationship data (e.g., UI, APIs, messaging services, standards, and protocols, etc.)?

How does your product enable management of relationships between people (e.g., parent or guardian to student)? What interfaces does your product include for managing these data (e.g., UI, APIs, messaging services, standards, and protocols, etc.)?

Does your product support SIF 3.0 as a data transport and data format mechanism, or would you recommend different standards for data messaging and/or for the standardized format of education-specific data for use with your product(s)?

2.1.5 Implementation and Support Services

Include information about how you would typically provide support both during and after implementation. Include information on the following:

Implementation Services

Project Management

Detailed Requirements Gathering and Analysis

System Design

System Construction or Configuration

Integration and Testing

Documentation

Application Warranty Services

Training

Recurring (Annual) Services

Hosting

Application Maintenance, Technical Support and Help Desk Services

Describe options on how independent a customer is after implementation:

What aspects of support of the product are expected to be covered by NYSED’s functional and IT staff versus what is expected to be handled by your company?

What are the business and IT resources required in our organization to support the product after implementation?

2.1.6 Pricing Model

Include information about your pricing model for the product:

Do you charge a software licensing fee?

Do you charge by user, by server, by district?

Do you negotiate state-wide agreements with state educational authorities?

Do you offer a perpetual license agreement?

How are ongoing maintenance charges assessed?

2.1.7 Pricing Estimates

Include ballpark estimates for the following scenarios:

Fixed price estimate for a one-time implementation

Pricing estimates for 5-year, 10-year, and perpetual licensing

Pricing estimates for maintenance, technical support, and Help Desk Services to operate the solution